Create strong passwords from easy-to-remember strings
==============

**strong-passgen** lets you easily create a strong password from relatively simple strings.

Pick a password seed and a service-specific name, and run the script like this:

    $ ./passgen
    Enter your salt: # for example, "banana"
    Confirm: # repeat it.
    Enter your string: example.com # creating a password for https://example.com
    o]o~\sfqFiws]_^iy^=|[nwnwsyyn{mV
    Copy and press enter to finish

Or, alternatively, put the service name explicitly as an argument for the script:

    $ ./passgen example.com
    Enter your salt: # for example, "banana"
    Confirm: # repeat it.
    o]o~\sfqFiws]_^iy^=|[nwnwsyyn{mV
    Copy and press enter to finish

Remember to clear the clipboard after copying your password!

## Graphical Interface ##

`strong-passgen` now comes with a **graphical interface** that makes it much easier to use in environments such as Microsoft Windows and Mac, where copying text from the command line does not work very well. It requires Python's PyGTK module, which is available from most package managers and is also bundled in portable versions of Python for Windows.

To use it graphically, double-click the `main.py` file, enter a password seed and an identifier and click Generate. You can now copy the password and paste it easily into other programs and websites.

## Motivation and improvements ##

This is a fork of the password generator described in JXSelf's post:

https://jxself.org/password-generator.shtml

In his original proposal, Jonathan suggests taking a hash of a relatively weak password composed of a password seed (called there a "salt") combined with a service-specific identifier (called a "string") and encoding it with base64 to produce a 32-character strong-looking password.

However, it occurred to me that perhaps these passwords may be easy to reverse in case it becomes known that you indeed generate your passwords using this method. All the attacker has to do is realize that the password looks like a base64-encoded string (easy to infer from the pattern of the string).

My modifications over the original algorithm initially included the insertion of additional methods for making the reversibility harder, and the usage of more non-alphanumeric characters through the usage of tr. However, seeing that not all base64 shell implementations work in the same way (especially for decoding), strong-passgen now implements a different algorithm, involving multiple hashing and sampling based on the input of the program.
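The single-hash-plus-base64 scheme described above, next to a key-stretched variant, as an added example (not strong-passgen's or JXSelf's code). It assumes SHA-256 and seed-then-identifier concatenation for the original scheme; the PBKDF2 variant is a substitute technique, not the multiple-hashing-and-sampling algorithm strong-passgen implements, and the function names, alphabet and iteration count are constructed here.

```python
import base64
import hashlib
import string

# Output alphabet for the stretched variant (constructed for this example).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
LENGTH = 32


def derive_base64_style(seed: str, identifier: str) -> str:
    """One hash, base64-encoded, cut to 32 characters (SHA-256 is assumed)."""
    digest = hashlib.sha256((seed + identifier).encode("utf-8")).digest()
    # The result only ever contains base64 characters, which is the
    # recognisable pattern the text above refers to.
    return base64.b64encode(digest).decode("ascii")[:LENGTH]


def derive_stretched(seed: str, identifier: str, iterations: int = 600_000) -> str:
    """Same inputs, but each guess at the seed costs `iterations` HMAC rounds."""
    # The identifier serves as the salt, so every service gets its own key.
    key = hashlib.pbkdf2_hmac(
        "sha256", seed.encode("utf-8"), identifier.encode("utf-8"), iterations
    )
    # Expand the 32-byte key into a longer byte stream to sample from.
    stream = hashlib.shake_256(key).digest(4 * LENGTH)
    # Rejection sampling: drop bytes that would bias the modulo mapping.
    limit = 256 - (256 % len(ALPHABET))
    chars = [ALPHABET[b % len(ALPHABET)] for b in stream if b < limit]
    if len(chars) < LENGTH:
        raise ValueError("not enough unbiased bytes in the stream")
    return "".join(chars[:LENGTH])


if __name__ == "__main__":
    # Inputs taken from the usage example at the top of this README.
    print(derive_base64_style("banana", "example.com"))
    print(derive_stretched("banana", "example.com"))
```

In both variants the output is only as hard to guess as the seed itself; stretching raises the cost of each guess but does not add entropy to a weak seed.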

## Limitations and security considerations ##

`strong-passgen` is a password *generator*, not a password *manager*. Functions such as secure storage and retrieval or autocomplete macros are completely out of scope. Please note that this also includes clearing the clipboard after the password has been used. You should copy something else immediately after use to avoid unintentionally pasting your password somewhere.

This software has NOT been audited from a security standpoint (I welcome somebody to do it anytime, though), and therefore should NOT be considered fail-proof. Use `strong-passgen` at your own risk!
